Phishing | Breaking Cybersecurity News | The Hacker News

The threat actor known as Patchwork has been attributed to a new spear-phishing campaign targeting Turkish defense contractors with the goal of gathering strategic intelligence. "The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems," Arctic Wolf Labs said in a technical report published this week. The activity, which also singled out an unnamed manufacturer of precision-guided missile systems, appears to be geopolitically motivated as the timing coincides amid deepening defense cooperation between Pakistan and Türkiye, and the recent India-Pakistan military skirmishes. Patchwork, also called APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger, and Zinc Emerson, is assessed to be a state-sponsored actor of Indian origin. Known to be active since at least 2009, the hacking group has a track record ...

Russian aerospace and defense industries have become the target of a cyber espionage campaign that delivers a backdoor called EAGLET to facilitate data exfiltration. The activity, dubbed Operation CargoTalon , has been assigned to a threat cluster tracked as UNG0901 (short for Unknown Group 901). "The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia via using товарно-транспортная накладная (TTN) documents — critical to Russian logistics operations," Seqrite Labs researcher Subhajeet Singha said in an analysis published this week. The attack commences with a spear-phishing email bearing cargo delivery-themed lures that contain a ZIP archive, within which is a Windows shortcut (LNK) file that uses PowerShell to display a decoy Microsoft Excel document, while also deploying the EAGLET DLL implant on the host. The decoy document, per Seqrite, references Obltransterminal, a ...

Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. The malware loader, first observed in the wild earlier this year, has been used to distribute DeerStealer , RedLine , StealC , NetSupport RAT , SectopRAT , and even other loaders like Hijack Loader . "It employs dead code injection and packing techniques to hinder analysis," the company said. "After unpacking itself at runtime, it connects to a C2 (command-and-control) server, downloads target modules, and executes them." CastleLoader's modular structure allows it to act as both a delivery mechanism and a staging utility, enabling...

The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz. "The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems," security researchers Sudeep Singh and Roy Tay said in a Wednesday report. This is not the first time Chinese threat actors have resorted to watering hole attacks (aka strategic web compromises), a technique where adversaries break into websites frequently visited by a specific group to infect their devices with malware. Over the past two years, hacking groups like EvilBamboo , Evasive Panda , and TAG-112 have all resorted to the approach to target the Tibetan diaspora with the u...

Mexican organizations are still being targeted by threat actors to deliver a modified version of AllaKore RAT and SystemBC as part of a long-running campaign.  The activity has been attributed by Arctic Wolf Labs to a financially motivated hacking group called Greedy Sponge . It's believed to be active since early 2021, indiscriminately targeting a wide range of sectors, such as retail, agriculture, public sector, entertainment, manufacturing, transportation, commercial services, capital goods, and banking. "The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud," the cybersecurity company said in an analysis published last week. Details of the campaign were first documented by the BlackBerry Research and Intelligence Team (which is now part of Arctic Wolf) in January 2024, with ...

Cybersecurity firm Expel, in an update shared on July 25, 2025, said it's retracting its findings about a phishing attack that it said leveraged cross-device sign-in to get around FIDO account protections despite being not in physical proximity to the authenticating client device. "The evidence does show the targeted user's credentials (username and password) being phished and that the attacker successfully passed password authentication for the targeted user," the company said . "It also shows the user received a QR code from the attacker. This QR code, when scanned by a mobile device, initiates a FIDO Cross-Device Authentication flow, which according to FIDO specification requires local proximity to the device which generated the QR code (the WebAuthn client). When properly implemented, without proximity, the request will time out and fail." The company further said that while the attackers managed to breach the password barrier, further analysis of t...

Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. The list of affected packages and their rogue versions, according to Socket, is listed below - eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) eslint-plugin-prettier (versions 4.2.2 and 4.2.3) synckit (version 0.11.9) @pkgr/core (version 0.2.8) napi-postinstall (version 0.3.1) got-fetch (versions 5.1.11 and 5.1.12) is (versions 3.3.1 and 5.0.0) "The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution," the software supply chain security firm said. The development comes in the aftermath of a phishing campaign that...

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a phishing campaign that's designed to deliver a malware codenamed LAMEHUG . "An obvious feature of LAMEHUG is the use of LLM (large language model), used to generate commands based on their textual representation (description)," CERT-UA said in a Thursday advisory. The activity has been attributed with medium confidence to a Russian state-sponsored hacking group tracked as APT28 , which is also known as Fancy Bear, Forest Blizzard, Sednit, Sofacy, and UAC-0001. The cybersecurity agency said it found the malware after receiving reports on July 10, 2025, about suspicious emails sent from compromised accounts and impersonating ministry officials. The emails targeted executive government authorities. Present within these emails was a ZIP archive that, in turn, contained the LAMEHUG payload in the form of three different variants named "Додаток.pif, "AI_generator_uncensored_Can...

Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025. "The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson said in a report published today. The cybersecurity company said the attack chains leverage a malware loader called Emmenhtal (aka PEAKLIGHT) to deliver Amadey, which, for its part, downloads various custom payloads from public GitHub repositories operated by the threat actors. The activity shares tactical similarities with an email phishing campaign that used invoice payment and billing-related lures to distribute SmokeLoader via Emmenhtal in February 2025 in attacks targeting Ukrainian entities.

The Taiwanese semiconductor industry has become the target of spear-phishing campaigns undertaken by three previously undocumented Chinese state-sponsored threat actors. "Targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits, wider equipment and services supply chain entities within this sector, as well as financial investment analysts specializing in the Taiwanese semiconductor market," Proofpoint said in a report published Wednesday. The activity, per the enterprise security firm, took place between March and June 2025. They have been attributed to three China-aligned clusters it tracks as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp. UNK_FistBump is said to have targeted semiconductor design, packaging, manufacturing, and supply chain organizations in employment-themed phishing campaigns that resulted in the delivery of Cobalt Strike or a C-based custom backdoor dubbed Volde...

Social engineering attacks have entered a new era—and they're coming fast, smart, and deeply personalized. It's no longer just suspicious emails in your spam folder. Today's attackers use generative AI, stolen branding assets, and deepfake tools to mimic your executives, hijack your social channels, and create convincing fakes of your website, emails, and even voice. They don't just spoof— they impersonate. Modern attackers aren't relying on chance. They're running long-term, multi-channel campaigns across email, LinkedIn, SMS, and even support portals—targeting your employees, customers, and partners. Whether it's a fake recruiter reaching out on LinkedIn, a lookalike login page sent via text, or a cloned CFO demanding a wire transfer, the tactics are faster, more adaptive, and increasingly automated using AI. The result? Even trained users are falling for sophisticated fakes—because they're not just phishing links anymore. They're operations. This Webinar Shows You How to Fight...

While phishing and ransomware dominate headlines, another critical risk quietly persists across most enterprises: exposed Git repositories leaking sensitive data. A risk that silently creates shadow access into core systems Git is the backbone of modern software development, hosting millions of repositories and serving thousands of organizations worldwide. Yet, amid the daily hustle of shipping code, developers may inadvertently leave behind API keys, tokens, or passwords in configuration files and code files, effectively handing attackers the keys to the kingdom. This isn't just about poor hygiene; it's a systemic and growing supply chain risk. As cyber threats become more sophisticated, so do compliance requirements. Security frameworks like NIS2, SOC2, and ISO 27001 now demand proof that software delivery pipelines are hardened and third-party risk is controlled. The message is clear: securing your Git repositories is no longer optional, it's essential. Below, we look at the ris...

Cryptocurrency users are the target of an ongoing social engineering campaign that employs fake startup companies to trick users into downloading malware that can drain digital assets from both Windows and macOS systems. "These malicious operations impersonate AI, gaming, and Web3 firms using spoofed social media accounts and project documentation hosted on legitimate platforms like Notion and GitHub," Darktrace researcher Tara Gould said in a report shared with The Hacker News. The elaborate social media scam has been for sometime now, with a previous iteration in December 2024 leveraging bogus videoconferencing platforms to dupe victims into joining a meeting under the pretext of discussing an investment opportunity after approaching them on messaging apps like Telegram. Users who ended up downloading the purported meeting software were stealthily infected by stealer malware such as Realst. The campaign was codenamed Meeten by Cado Security (which was acquired by Dark...

The U.K. National Crime Agency (NCA) on Thursday announced that four people have been arrested in connection with cyber attacks targeting major retailers Marks & Spencer, Co-op, and Harrods. The arrested individuals include two men aged 19, a third aged 17, and a 20-year-old woman. They were apprehended in the West Midlands and London on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group. All four suspects were arrested from their homes and their electronic devices have been seized for further forensic analysis. Their names were not disclosed. "Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency's highest priorities," Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said in a statement. "Today's arrests are a significant step in that investigation ...

A threat actor with suspected ties to India has been observed targeting a European foreign affairs ministry with malware capable of harvesting sensitive data from compromised hosts. The activity has been attributed by Trellix Advanced Research Center to an advanced persistent threat (APT) group called DoNot Team , which is also known as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger. It's been assessed to be active since 2016. "DoNot APT is known for using custom-built Windows malware, including backdoors like YTY and GEdit, often delivered through spear-phishing emails or malicious documents," Trellix researchers Aniket Choukde, Aparna Aripirala, Alisha Kadam, Akhil Reddy, Pham Duy Phuc, and Alex Lanstein said . "This threat group typically targets government entities, foreign ministries, defense organizations, and NGOs especially those in South Asia and Europe." The attack chain commences with phishing emails that aim to trick rec...

Cybersecurity researchers have discovered an Android banking malware campaign that has leveraged a trojan named Anatsa to target users in North America using malicious apps published on Google's official app marketplace. The malware, disguised as a "PDF Update" to a document viewer app, has been caught serving a deceptive overlay when users attempt to access their banking application, claiming the service has been temporarily suspended as part of scheduled maintenance. "This marks at least the third instance of Anatsa focusing its operations on mobile banking customers in the United States and Canada," Dutch mobile security company ThreatFabric said in a report shared with The Hacker News. "As with previous campaigns, Anatsa is being distributed via the official Google Play Store." Anatsa, also referred to as TeaBot and Toddler, has been known to be active since at least 2020, typically delivered to victims via dropper apps. Early last year, An...